CISO Assistant

General tips

CISO Assistant is intended to be a multi-paradigm tool that suits everyone's background and approach to organising a cyber security programme.

That said, here are some standard recommendations to get the most out of it if you are just starting:

  1. Map your organisation to the domains/perimeters (or create basic ones)

  2. Add your users and assign them to the groups (SSO and MFA available even in Community)

  3. (recommended) Identify the assets to protect

  4. (recommended) Enumerate your existing capabilities/controls

  5. Define your baseline and focus on the basics - pick your controls and/or create new ones

  6. Get your actions implemented and reflect that on your audit progress

  7. Conduct a contextual risk assessment

  8. Share the insights with your organisation, review the priorities, and keep it alive

  9. Expand your coverage: periodic tasks, incidents, TPRM, findings management, etc.

  10. Always keep focus on the actions and reflect their data on the other concepts

Installation

Docker Compose or Helm for Kubernetes

New! Config Builder

Customize the local deployment according to your needs:

Make sure to have Docker 27 or later. If you get an error that the docker compose command is not recognised, your Docker version is too old and not supported.

Docker compose

Make sure to have Docker and Docker Compose installed on your system.

  • clone the repo:

git clone https://github.com/intuitem/ciso-assistant-community.git

  • run the preparation script and follow the instructions:

./docker-compose.sh

You can also find other variants for different setups as a starting point for your specific needs.

Remote/Virtualization

Deploy on a VPS

Helm chart

Make sure to have Helm binary installed and switch to your cluster context.

  1. add the helm repository

helm repo add intuitem https://intuitem.github.io/ca-helm-chart/

  2. get the default values

helm show values intuitem/ciso-assistant > my-values.yaml

  3. check and adjust them to your needs, specifically the frontendOrigin parameter

  4. create a namespace for your deployment

kubectl create ns ciso-assistant

  5. install

helm install my-octopus intuitem/ciso-assistant -f my-values.yaml -n ciso-assistant

This setup relies on Caddy handling TLS on your behalf. If you experience TLS-related issues, you might want to patch your ingress-nginx controller to activate the enable-ssl-passthrough flag.

Understanding decoupling

Decoupling compliance from security operations and controls is a cornerstone of CISO Assistant philosophy. Let's see it through this short animation:

Creating your first perimeter

Small tutorial to learn how to create your first perimeter and be prepared for risk and compliance assessment

Perimeters were previously named "Projects", but this was misleading

  1. Once logged in, the first step is to create a domain. Let's call it R&D.

  2. Then we create the perimeter inside of it or from the perimeter list view.

That's it! You just created your first perimeter. The next step is to create a compliance assessment.

Welcome to CISO Assistant

This is CISO Assistant documentation. You'll find advice on how to get started, and details on our vision of risk and compliance assessment.

A different take on Cyber Security Posture Management

  • explicitly decoupling compliance from cyber-security practices implementation

  • providing simplified tools for decision-making

  • providing capabilities for a program, product, or an organization assessment against standard frameworks

  • you can bring your own framework as well using a simplified DSL

  • aim to be a one-stop-shop for cyber security management and cover the layers of GRC (Governance, Risk and Compliance)

An open-source GRC tool

CISO Assistant is open source and the code is available on GitHub. Just follow the instructions to deploy it yourself or go to our website to request a cloud trial instance. You can read the full article about our switch.

About the SaaS and PRO plan

Quick links

Get Started

In a hurry? Check out the 🌐 External resources for overviews in English and French 🤗

We've put together some helpful guides for you to get setup with our product quickly and easily.

Model

We've detailed our model to help you understand how everything is organized

Journeys

"I'm just curious and want to see what the tool is about."

Quick start and pick your framework and/or matrix

"I need to comply with a specific regulation or standard"

  • Identify the scopes (domains/perimeters)

  • Pick your frameworks

  • Start an audit

  • Link or create your applied controls

  • ♻️ Track the applied controls progress, attach evidences and reflect the progress on the audit

"I want to conduct risk assessments and keep track of a risk register"

  • Identify the scopes (domains/perimeters)

  • Pick your matrix

  • Add or import your assets

  • Add or import your threats

  • Start a risk assessment

  • ♻️ Identify your scenarios, assess them, link or create the applied controls, and reflect the progress on the risk level

"I have multiple vendors whose cyber security posture I need to identify"

  • Identify the scopes (domains/perimeters)

  • Create the vendors (entities) and their products or services (solutions)

  • Identify a framework to assess them and trigger an entity assessment

  • ♻️ Track the audits' progress, assign controls and form your opinion

"I have a list of findings or issues that I need to track"

  • Identify the scopes (domains/perimeters)

  • Start a follow-up

  • Add or import your findings

  • Link or create the applied controls

  • ♻️ Track the applied controls progress and reflect that on your findings status

Glossary

Concept
Explanation

Domain

A division within your organisation on which you want to enforce an isolation of objects and the RBAC. Demo and Starter are reserved for internal features.

Perimeter

An organisation can split a domain and link its audits, risk assessments, and other relevant objects to it. Doesn't enforce RBAC.

Role

A bundle of permissions. Four roles are built-in:

  • Domain Manager: can set up and access everything on a domain

  • Analyst: can input and read data, but cannot change the settings of a domain

  • Reader: can only read the items of a domain

  • Approver: can validate workflows on objects for a domain (e.g., Risk Acceptance)

User group

A combination of a role and a domain, to which you assign your users. User groups are automatically created on your behalf whenever you create a domain.

Reference Control

A template for a control that can be used as a reference and re-instantiated when needed.

Applied Control

The main component of the action plan. The actual action that you have implemented or will implement. It could be technical, process, policy, documentation, etc.

Evidence

A document, screenshot, config sample, etc., that can prove that an applied control has been properly implemented.

Task

Main component of the task management module. A task can be one-time or periodic, and supports assignment.

Catalog objects

Reusable objects of CISO Assistant; they are the building blocks of a library (frameworks, threats, matrices, etc.)

Library

Container object that holds one or multiple catalog objects for CISO Assistant (e.g. Framework, matrix, etc.)

Framework

A set of requirements that covers patterns and expectations to comply with a regulation, prepare a certification, or establish a foundation.

Mapping

Based on NIST's OLIR initiative; allows moving from a framework A to a framework B while reusing the previous assessment.

Entity

Scope of an external review, usually the vendor / third party.

Solution

Product or service provided by the entity

Entity assessment

The actual review of the entity, which can trigger or be linked to an audit

Representative

The person that needs to answer the questionnaire and requirement of the entity assessment.

URN

Uniform Resource Name, used as a unique identifier to link to multiple CISO Assistant catalog objects.


Creating your first risk assessment

Small tutorial to learn how to create your first risk assessment

  1. Firstly, we need to import some external objects before starting our risk assessment: a matrix, threats and reference controls.

  2. We can create the risk assessment, and let's take a look inside.

  3. We find three parts: details about the assessment, the list of associated risk scenarios and the risk matrix view.

  4. Let's add the first scenario and do the current assessment of it.

You can see that I didn't find the threat I was looking for in the imported library, so I decided to create my custom threat.

  5. From now on, you won't necessarily follow the same steps depending on your needs. In this example I choose to mitigate the scenario by creating an applied control for it.

  6. We go back to the scenario edit view, add the freshly created applied control, do the residual assessment and choose a strength of knowledge level.

As you can see, back in the risk assessment view, the current and residual scenarios were added to the matrix views with a diamond to indicate the strength of knowledge. To find out more about this concept, take a look at the Risk analysis introduction from the Society for Risk Analysis.

Congratulations! 🎉 If you followed the last three pages, you have just created your first assessments on CISO Assistant! The following section will show you how to use our management tools 🔎

Overview

Manage your assessments over time

Analytics

The main page to manage your perimeters through time. You can focus on risk or compliance with their respective tabs or have a global view from the governance one.

Governance tab

You can find on the bottom of the governance tab an applied controls ranking score and a watch list to warn you about incoming deadlines on applied controls or risk acceptances.

Applied controls ranking score table is here to help you prioritize

Focus on watch list

Composer

This is a specific tab where you can cross-reference analytics from different risk assessments.

Select targets

It will also tell you if one or many selected risk assessments should be reviewed based on inconsistencies found by x-rays.

X-rays is a CISO Assistant tool which will be detailed in Extra tools

Composer

Calendar

Calendar page has been moved to the "Operations" section

An integrated calendar to track the ETA of upcoming/expired applied controls or risk acceptances.

External resources

Community supported content

Live sessions

LinkedIn

Youtube

Social media

User reviews

  • https://www.linkedin.com/posts/nathan-lemaire-cyber_ciso-assistant-guide-pas-%C3%A0-pas-activity-7282010527881433088-r_Lg

  • https://www.linkedin.com/posts/activity-7193144709987401729-oZW1

Blogs

  • Blog Quercylibre

Extra tools

Some useful tools for following up assessments

X-rays

X-rays page has been moved to the "Operations" section

X-rays is a very useful page to detect inconsistencies across your assessments for each perimeter. There are three types of reports:

  • info: advice or reminder for status and relevant empty fields

  • warning: potential errors to be determined by the user

  • error: errors that must be corrected

Compliance assessment x-rays
Risk assessment x-rays

Scoring Assistant

Scoring Assistant page has been moved to the "Risk" section

Trouble assessing your risk? 🤔

Based on the OWASP Risk Rating Methodology, the scoring assistant helps you determine the risk level for your scenario. Choose between technical or business impact and select the appropriate answers to the questions.

Score assistant
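As an added example (not the project's code), here is the OWASP Risk Rating arithmetic that the assistant's questions feed into: each likelihood and impact factor is answered on a 0-9 scale, the two averages are bucketed into LOW/MEDIUM/HIGH and combined through OWASP's severity table. The factor names, cut-offs and table are OWASP's; SAMPLE_ANSWERS is constructed, and shows how choosing technical versus business impact changes the result for the same scenario.

```python
"""Likelihood and impact scoring following the OWASP Risk Rating Methodology the
scoring assistant is based on. Added example, not CISO Assistant's code: factor
names, the 0-9 scale, the LOW/MEDIUM/HIGH cut-offs and the severity table are
OWASP's; SAMPLE_ANSWERS is constructed."""

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Overall severity: SEVERITY[impact_bucket][likelihood_bucket]
SEVERITY = {
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
}


def bucket(score: float) -> str:
    """0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def factor_score(answers: dict, factors: tuple) -> float:
    """Average of the factors, each answered as an integer 0-9 (9 = worst case)."""
    missing = [f for f in factors if f not in answers]
    if missing:
        raise ValueError(f"unanswered factors: {missing}")
    for f in factors:
        v = answers[f]
        if not isinstance(v, int) or isinstance(v, bool) or not 0 <= v <= 9:
            raise ValueError(f"{f} must be an integer 0-9, got {v!r}")
    return sum(answers[f] for f in factors) / len(factors)


def rate(answers: dict, impact_kind: str = "technical") -> dict:
    """Likelihood uses the threat-agent and vulnerability factors; impact uses either
    the technical or the business factor set, which is the choice the assistant offers."""
    if impact_kind not in ("technical", "business"):
        raise ValueError("impact_kind must be 'technical' or 'business'")
    impact_factors = TECHNICAL_IMPACT if impact_kind == "technical" else BUSINESS_IMPACT
    likelihood = factor_score(answers, THREAT_AGENT + VULNERABILITY)
    impact = factor_score(answers, impact_factors)
    lb, ib = bucket(likelihood), bucket(impact)
    return {"likelihood": likelihood, "likelihood_bucket": lb,
            "impact": impact, "impact_bucket": ib, "severity": SEVERITY[ib][lb]}


# Constructed answers for a scenario such as credential stuffing against a customer portal.
SAMPLE_ANSWERS = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 5, "loss_of_accountability": 9,
    "financial_damage": 3, "reputation_damage": 4, "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    for kind in ("technical", "business"):
        r = rate(SAMPLE_ANSWERS, kind)
        print(f"{kind:9s} likelihood={r['likelihood']:.2f} ({r['likelihood_bucket']}) "
              f"impact={r['impact']:.2f} ({r['impact_bucket']}) -> {r['severity']}")
```

With the constructed answers the same likelihood (7.125, HIGH) yields Critical with technical impact (6.5, HIGH) but only High with business impact (3.0, MEDIUM), which is why the assistant asks you to pick the impact family first.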

Glossary

This is the end of the basic tutorial to start with CISO Assistant 🎬 You can go further by exploring its glossary, or checking the data model directly on GitHub.

Multi-level support

Through implementation groups

Multiple frameworks have their requirements organized into subgroups, mostly cumulative but not always. In v1.3.x we introduced better support for this, borrowing the concept of implementation groups from CIS but with a generic implementation that covers both the cumulative and non-cumulative cases.

When creating a new audit with a framework that supports implementation groups (IG), you'll get a drop-down menu to select the ones you want to use. They can be combined to suit your needs. If no implementation group is selected, the audit will start with all the requirements, and you can still update it later to add or remove IGs.

CyFun, CIS and FedRAMP have been updated to take advantage of this feature. Other relevant frameworks are currently being updated.

SSO

Configure Single Sign-On with different SAML or OpenID Connect providers

Providers

Configure CISO Assistant with SAML

Once you've retrieved the IdP Entity ID, the Metadata URL and the Entity ID from your provider (see the list of providers for specific details), the configuration on CISO Assistant is pretty simple.

  1. Log in to CISO Assistant as an administrator > Extra > Settings

  2. Enable SSO

  3. Enter the IdP Entity ID

  4. Choose option 1 or 2 depending on your provider, and fill in either the Metadata URL, or the SSO URL, SLO URL and x509 certificate retrieved from your provider

  5. Check that the SP Entity ID matches the Entity/Client ID specified on your provider

  6. And that's it! Don't forget to save your changes

  7. You should now be able to see the Login with SSO button

Configure CISO Assistant with OpenID Connect (OIDC)

Once you've retrieved the IdP Entity ID, the Metadata URL and the Entity ID from your provider (see the list of providers for specific details), the configuration on CISO Assistant is pretty simple.

  1. Log in to CISO Assistant as an administrator > Extra > Settings

  2. Navigate to SSO settings

  3. Enable SSO

  4. Select the OpenID Connect provider

  5. Enter the Client ID

  6. Enter the Client secret

  7. Enter the Server URL

  8. And that's it! Don't forget to click the 'Save' button

  9. You should now be able to see the Login with SSO button

Be aware that the user needs to be created on CISO Assistant to be authenticated with SSO.
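Option 2 of the SAML form asks for values that all live in the IdP's metadata document, which is also where the Keycloak and Okta guides below tell you to look for the Entity ID. The following is an added example, not CISO Assistant's code: it parses an IdP metadata document and extracts the IdP Entity ID, the SSO and SLO URLs for a given binding and the signing certificate, and refuses plain-http endpoints. SAMPLE_METADATA is constructed and the certificate in it is a placeholder, not a real certificate.

```python
"""Pull the IdP Entity ID, SSO URL, SLO URL and x509 signing certificate (the
values the SAML form asks for) out of an IdP metadata document.
Added example, not CISO Assistant's code. SAMPLE_METADATA is constructed and
its certificate is a placeholder. Fetch real metadata over HTTPS with
certificate validation; the stdlib parser is fine for a trusted IdP, use
defusedxml if the XML comes from an untrusted party."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpParams:
    entity_id: str          # "IdP Entity ID" field; a URI, often not an https URL
    sso_url: str            # "SSO URL" field
    slo_url: Optional[str]  # "SLO URL" field; some IdPs do not advertise one
    x509_cert: str          # "x509 certificate" field: base64 DER, whitespace removed


def _endpoint(idp: ET.Element, tag: str, binding: str) -> Optional[str]:
    """Location of the first <tag> element advertising the requested binding."""
    for svc in idp.findall(tag, NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def parse_idp_metadata(xml_text: str, binding: str = HTTP_REDIRECT) -> IdpParams:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata is also an EntityDescriptor; make sure this is the IdP's
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso_url = _endpoint(idp, "md:SingleSignOnService", binding)
    if sso_url is None:
        raise ValueError(f"no SingleSignOnService for binding {binding}")
    slo_url = _endpoint(idp, "md:SingleLogoutService", binding)
    for url in (sso_url, slo_url):
        if url and not url.startswith("https://"):
            raise ValueError(f"refusing non-https endpoint {url}")

    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # a KeyDescriptor without 'use' is valid for both signing and encryption
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text and node.text.strip():
            cert = "".join(node.text.split())
            break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    base64.b64decode(cert, validate=True)  # raises (a ValueError subclass) on garbage
    return IdpParams(entity_id, sso_url, slo_url, cert)


if __name__ == "__main__":
    p = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP Entity ID:", p.entity_id)
    print("SSO URL      :", p.sso_url)
    print("SLO URL      :", p.slo_url)
    print("x509 cert    :", p.x509_cert)
```

Note that the Entity ID is deliberately not checked for https: it is an identifier, and some providers (Okta's issuer for instance) use a non-https URI there. The SSO and SLO endpoints are where a browser will be redirected, so those are held to https.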

Controls autosuggestion

The recommendation system allows you to create applied controls and automatically assign them to your audit requirements, based on the reference controls of the catalog:

Library upgrade

When new upgrades are available for a library, you can choose to pull the upgrade on your existing audits. This is pretty useful for applying nondestructive updates such as typo fixes, adding implementation groups, and so on.

Understand mapping

Main concepts of the mapping feature

One common challenge when dealing with audits is reusing your assessment on one framework to move to a different one. This is commonly referred to as a mapping or crosswalk between standards.

This capability is supported in CISO Assistant and allows the user to create a projection of the content of an audit, given that a mapping is available. Mappings are library objects that can be customized, imported and submitted to the community. To see the available ones, head to the libraries store and filter on mapping:

Mappings are essentially a representation of the links between assessable nodes of a framework, for which we use the convention documented in NIST's OLIR project.

A mapping is a directed graph linking a SRC framework to a TGT framework, on which the nodes can have one of the following relationships:

To create yours, you can follow one of the examples in /tools or bootstrap a starter using the prepare_mapping script.

To apply a mapping, you first need to load it from the library. Then head to your audit, click on apply mapping, select the targeted framework and see the projection being created ✨.

Note: the apply mapping feature can also be reused to clone the audit and create a new revision, if the same framework and same scope are selected.

Creating your first Audit

Small tutorial to learn how to create your first compliance assessment

  1. After creating the perimeter, we'll have to import a framework, for example ISO/IEC 27001:2022.

  2. Once it is imported, we can now create the compliance assessment (ISO/IEC 27001:2022 is auto-selected as it is the only imported framework).

  3. You can edit it if needed, or go directly into the assessment. Each requirement has a To do status by default.

  4. Finally, we can select a requirement and start its assessment by adding applied controls or evidences and update its status to complete the progress bars.

Now that you're familiar with compliance assessment, let's go a step further with risk assessment.

Providers

  • How to configure CISO Assistant

  • Microsoft Entra ID

  • Okta

  • Keycloak

  • Google Workspace

Data import wizard

[Pro] guidelines on data import format

Overview

If the object supports the domain column, the wizard will attempt to add the object to it, provided you have the permission to do so. If the domain is not set, the wizard will default to the fallback domain set on the wizard form.

Fields with (*) are mandatory and don't have any supported fallback.

📦 Assets

Template: sample001.xlsx (9KB)

Supported fields

  • ref_id

  • name*

  • description

  • domain

  • type

    • PR : primary

    • SP : supporting

Special considerations

  • type will default to supporting if not set

⚙️ Applied controls

Template: sample002.xlsx (9KB)

Supported fields

  • ref_id

  • name*

  • description

  • domain

  • status

    • to_do

    • in_progress

    • on_hold

    • active

    • deprecated

  • category

    • policy

    • process

    • technical

    • physical

    • procedure

  • priority

    • integer from 1 to 4

  • csf_function

    • govern

    • identify

    • protect

    • detect

    • respond

    • recover

Special considerations

  • status will default to to_do

  • csf_function will default to govern
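Since values outside the lists above cannot be imported and missing optional ones are defaulted, it pays to validate the sheet before upload. The following is an added example, not the project's code: it checks applied-control rows against the columns, allowed values and defaults documented above, applying the same fallbacks (domain from the wizard form, status to to_do, csf_function to govern) and tolerating the spelling drift a human introduces in a spreadsheet ("In progress" for in_progress). Rows are plain dicts, as csv.DictReader or openpyxl would produce; SAMPLE_ROWS is constructed and is not the project's sample002.xlsx.

```python
"""Pre-flight check of applied-control rows before handing them to the import
wizard. Added example, not project code: it encodes the columns, allowed values
and defaults listed in the documentation so that problems surface as a report
instead of rejected rows. SAMPLE_ROWS is constructed."""

MANDATORY = ("name",)
ENUMS = {
    "status": ("to_do", "in_progress", "on_hold", "active", "deprecated"),
    "category": ("policy", "process", "technical", "physical", "procedure"),
    "csf_function": ("govern", "identify", "protect", "detect", "respond", "recover"),
}
DEFAULTS = {"status": "to_do", "csf_function": "govern"}
PRIORITY_RANGE = range(1, 5)  # integer from 1 to 4


def _blank(value) -> bool:
    return value is None or str(value).strip() == ""


def _canonical(value) -> str:
    """'In progress' -> 'in_progress', 'Technical' -> 'technical'."""
    return str(value).strip().lower().replace("-", "_").replace(" ", "_")


def normalise_row(row: dict, fallback_domain: str) -> tuple:
    """Return (cleaned_row, errors); the row is importable when errors is empty."""
    errors = []
    clean = {k: (v.strip() if isinstance(v, str) else v) for k, v in row.items()}

    for field in MANDATORY:
        if _blank(clean.get(field)):
            errors.append(f"{field} is mandatory and has no fallback")

    # an explicit domain column wins; otherwise the fallback chosen on the wizard form
    if _blank(clean.get("domain")):
        clean["domain"] = fallback_domain

    for field, default in DEFAULTS.items():
        if _blank(clean.get(field)):
            clean[field] = default

    for field, allowed in ENUMS.items():
        if _blank(clean.get(field)):
            continue  # category has no default and may stay empty
        value = _canonical(clean[field])
        if value not in allowed:
            errors.append(f"{field}={clean[field]!r} is not one of {list(allowed)}")
        else:
            clean[field] = value

    if not _blank(clean.get("priority")):
        try:
            prio = int(str(clean["priority"]).strip())
        except ValueError:
            prio = None
        if prio not in PRIORITY_RANGE:
            errors.append(f"priority={clean['priority']!r} must be an integer from 1 to 4")
        else:
            clean["priority"] = prio

    return clean, errors


def validate_rows(rows, fallback_domain: str) -> tuple:
    """Split rows into (importable, rejected); rejected maps the 1-based data row
    number (header excluded) to its list of errors."""
    importable, rejected = [], {}
    for number, row in enumerate(rows, start=1):
        clean, errors = normalise_row(row, fallback_domain)
        if errors:
            rejected[number] = errors
        else:
            importable.append(clean)
    return importable, rejected


# Constructed rows, as a sheet filled in by hand might look.
SAMPLE_ROWS = [
    {"ref_id": "AC-01", "name": "MFA on admin accounts", "description": "",
     "domain": "", "status": "", "category": "Technical", "priority": "1",
     "csf_function": "protect"},
    {"ref_id": "AC-02", "name": "Quarterly backup restore test",
     "status": "In progress", "category": "procedure", "priority": "2"},
    {"ref_id": "AC-03", "name": " ", "status": "active"},
    {"ref_id": "AC-04", "name": "Vendor security review", "status": "done", "priority": "5"},
]

if __name__ == "__main__":
    importable, rejected = validate_rows(SAMPLE_ROWS, fallback_domain="R&D")
    for r in importable:
        print("OK  ", r["ref_id"], r["domain"], r["status"], r.get("category"), r["csf_function"])
    for number, errs in rejected.items():
        print("SKIP row", number, "->", "; ".join(errs))
```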

📦 Perimeters

Template: sample003.xlsx (9KB)

Supported fields

  • ref_id

  • name*

  • description

  • domain

  • status

    • undefined

    • in_design

    • in_dev

    • in_prod

    • eol

    • dropped

📃 Audits

Template

To avoid any mixup on the expected fields and the requirements reference, you can get a template for the expected framework by going into Catalog/Frameworks

The framework needs to be loaded; when clicking on it, you'll see a button to get the Excel file.

Supported fields

  • urn*

  • assessable

  • ref_id*

  • name

  • description

  • compliance_result

    • not_assessed

    • partially_compliant

    • non_compliant

    • compliant

    • not_applicable

  • requirement_progress

    • to_do

    • in_progress

    • in_review

    • done

  • score

    • integer from 0 to 100

  • observations

Special considerations

  • The wizard will attempt to match based on the ref_id and fallback to the urn otherwise. If none could be used, the row will be skipped.

  • name and description columns are not used but serve as an anchor point for reference.

  • Unassessable rows are skipped.

🐞 Findings followup (eg. pentest)

Template: sample004.xlsx (9KB)

Supported fields

  • ref_id

  • name*

  • description

  • severity

    • low

    • medium

    • high

    • critical

  • status

    • identified

    • confirmed

    • dismissed

    • assigned

    • in_progress

    • mitigated

    • resolved

    • deprecated

👥 Users

Supported fields

  • email

  • first_name

  • last_name

Template: sample005.xlsx (9KB)

☣️ Risk assessment

The risk assessment is an advanced object that needs special considerations. Make sure to pick the matrix that will be used to map your labels to the values on CISO Assistant. If you have a specific matrix, you should start by including it as a custom library.

inherent_level, current_level and residual_level are kept on the excel sample just for visual aid. The application computes them based on impact and probability to ensure consistency with the matrix definition.

Controls are created or picked based on the perimeter's domain. Line breaks are used as the separator between controls in the existing_controls and additional_controls cells.

Supported fields:

  • ref_id

  • name*

  • description

  • inherent_impact

  • inherent_proba

  • existing_controls

  • current_impact

  • current_proba

  • additional_controls

  • residual_impact

  • residual_proba

Template: sample06.xlsx (9KB)
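Because the application recomputes the levels from the matrix, a sheet whose *_level columns disagree with its impact and probability cells will import differently from what its author expected. The following is an added example, not the project's code: it reproduces that computation for a constructed 4x4 matrix (a real matrix comes from a library and has its own labels and grid), splits the control cells on line breaks, and warns when a typed level disagrees with the matrix or when additional controls leave the residual level no lower than the current one. SAMPLE_ROWS is constructed as well.

```python
"""Derive inherent/current/residual levels for imported risk scenarios from their
impact and probability labels, as the application does from the matrix (the
*_level columns in the sheet are only a visual aid). Added example, not project
code: MATRIX values below are constructed, and so is SAMPLE_ROWS."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed matrix: GRID[probability_index][impact_index] is an index into LEVELS
PROBABILITY = ("very_low", "low", "high", "very_high")
IMPACT = ("minor", "moderate", "major", "critical")
LEVELS = ("low", "medium", "high", "critical")
GRID = (
    (0, 0, 1, 1),
    (0, 1, 1, 2),
    (1, 1, 2, 3),
    (1, 2, 3, 3),
)


def _blank(v) -> bool:
    return v is None or str(v).strip() == ""


def _index(label, scale: tuple, column: str) -> int:
    key = str(label).strip().lower().replace(" ", "_")
    if key not in scale:
        raise ValueError(f"{column}={label!r} is not a label of this matrix {list(scale)}")
    return scale.index(key)


def risk_level(impact, proba) -> Optional[str]:
    """Matrix level for one (impact, probability) pair; None when either cell is
    empty, meaning that stage of the scenario has not been assessed."""
    if _blank(impact) or _blank(proba):
        return None
    return LEVELS[GRID[_index(proba, PROBABILITY, "proba")][_index(impact, IMPACT, "impact")]]


def split_controls(cell) -> list:
    """existing_controls / additional_controls hold one control per line."""
    return [c.strip() for c in str(cell or "").splitlines() if c.strip()]


@dataclass
class Scenario:
    ref_id: str
    name: str
    inherent_level: Optional[str]
    current_level: Optional[str]
    residual_level: Optional[str]
    existing_controls: list
    additional_controls: list
    warnings: list = field(default_factory=list)


def build_scenario(row: dict) -> Scenario:
    if _blank(row.get("name")):
        raise ValueError("name is mandatory")
    s = Scenario(
        ref_id=str(row.get("ref_id") or ""),
        name=str(row["name"]).strip(),
        inherent_level=risk_level(row.get("inherent_impact"), row.get("inherent_proba")),
        current_level=risk_level(row.get("current_impact"), row.get("current_proba")),
        residual_level=risk_level(row.get("residual_impact"), row.get("residual_proba")),
        existing_controls=split_controls(row.get("existing_controls")),
        additional_controls=split_controls(row.get("additional_controls")),
    )
    # Checks worth running before import: a level typed into the sheet that the
    # matrix does not reproduce, and additional controls that do not lower the risk.
    for stage in ("inherent", "current", "residual"):
        typed, computed = row.get(f"{stage}_level"), getattr(s, f"{stage}_level")
        if not _blank(typed) and computed and str(typed).strip().lower() != computed:
            s.warnings.append(f"{stage}_level says {typed!r} but the matrix gives {computed!r}")
    if s.additional_controls and s.current_level and s.residual_level:
        if LEVELS.index(s.residual_level) >= LEVELS.index(s.current_level):
            s.warnings.append("additional controls listed but residual level is not below current")
    return s


# Constructed rows using the matrix labels above.
SAMPLE_ROWS = [
    {"ref_id": "R1", "name": "Ransomware on file servers",
     "inherent_impact": "critical", "inherent_proba": "high",
     "existing_controls": "Offline backups\nEDR on servers",
     "current_impact": "major", "current_proba": "low",
     "additional_controls": "Immutable backup tier",
     "residual_impact": "minor", "residual_proba": "low", "residual_level": "low"},
    {"ref_id": "R2", "name": "Leaked API key in public repo",
     "inherent_impact": "major", "inherent_proba": "very high",
     "current_impact": "major", "current_proba": "high", "current_level": "medium",
     "additional_controls": "Secret scanning in CI",
     "residual_impact": "major", "residual_proba": "high"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        s = build_scenario(row)
        print(s.ref_id, s.inherent_level, s.current_level, s.residual_level, s.warnings)
```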

Context

This is the place to define the context for risk and compliance management. All items here are optional.

Threat

A threat is the potential cause of an incident that may result in a breach of information security or compromise business operations (ISO 27000). Threats are used to clarify the aim of a requirement or an applied control. They are informative; assessments can be carried out without them. Threats can be imported from a library, but you can also create your own threats in the global domain or in a specific domain.

Reference control

Reference controls are templates for applied controls. They facilitate the creation of an applied control, and help to have consistent applied controls. They are optional, but recommended. Reference controls can be provided by security frameworks that are imported from a library, but you can create your own reference controls in the global domain or in a specific domain.

Applied control

Applied controls are fundamental objects for compliance and remediation. They can derive from a reference control, which provides better consistency, or be independent. Applied controls are always defined by the entity and can be attached to the global domain or in a specific domain.

Asset

An asset refers to any piece of information that holds value to an organization. These assets can be digital or physical and encompass a wide range of data types, including customer records, financial information, intellectual property, employee records, proprietary software, marketing materials, and more. Assets are always defined by the entity and can be attached to the global domain or in a specific domain. There are two types of assets:

  • Primary assets are core resources directly contributing to an organization's main objectives, like machinery or intellectual property.

  • Support assets indirectly aid primary functions, such as IT systems or administrative services.

Okta

Configure Okta as an Identity Provider for CISO Assistant

Go into your Okta admin console (it should look like this: https://<your_url>.okta.com/admin/dashboard)

  1. In the sidebar menu, click on Applications > Applications

  2. Click now on Create App Integration

  3. Select SAML 2.0 and click on Next

  4. Choose an App name and click on Next

  5. Add the Single sign-on URL: <base_url>/api/accounts/saml/0/acs/ (for example with localhost: https://localhost:8443/api/accounts/saml/0/acs/) (see screenshot below)

  6. Add the Audience URI (SP Entity ID); it has to be the same as the SP Entity ID in CISO Assistant (see screenshot below)

  7. Choose Email as the Application username

  8. Add Attribute Statements

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname for user's first name

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname for user's last name

  9. Click on Next and fill in the Feedback page as you wish then click on Finish

  10. In the Settings box inside SAML 2.0:

    • Copy the Metadata URL and paste it into the Metadata URL field in CISO Assistant

    • Copy the Issuer url and paste it into the IdP Entity ID field in CISO Assistant

  11. Go to the Assignments tab

  12. Click on Assign and choose whether you want to assign users or specific groups

Adding a user to your application doesn't automatically create the user in CISO Assistant

You can now configure CISO Assistant with the 3 parameters you've retrieved.

Mapping explorer

The graph explorer helps you understand and navigate the cross walks between the frameworks.

Evidences from clipboard

Productivity tips series

If you have a screenshot on your clipboard, you can directly paste it into the file field to have it as evidence instead of going through an intermediate file as illustrated below:

Keycloak

Configure Keycloak as an Identity Provider for CISO Assistant

If Keycloak and CISO Assistant are both deployed locally with docker, you'll need to make sure that both containers can communicate together. You can do this with a bridge network.

Go into your Keycloak admin console

  1. Open the sidebar menu > Clients and Create client

  2. Choose SAML client type and name it ciso-assistant or with your custom SP Entity ID

  3. Fill the Home URL with your <base_url> and Valid redirect URIs with <backend_url>/*

    If you have trouble configuring these URLs, you can ask for help on Discord or by emailing us

  4. Go into Keys and disable Signing keys config

  5. Go into Advanced and fill the ACS field with <backend_url>/api/accounts/saml/0/acs/ (on a cloud instance it is simply <base_url>/api/accounts/saml/0/acs/)

  6. Go to Client scopes and click on ciso-assistant-dedicated

  7. Add a predefined mapper and check all X500 ones

  8. Click on X500 surname and replace SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  9. Click on X500 givenName and replace SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  10. Go into Realm settings > General, you will find the Metadata URL

  11. You'll find inside the Metadata URL the Entity ID

For an OpenID Connect client, go into your Keycloak admin console

  1. Open the sidebar menu > Clients and Create client

  2. Choose OpenID Connect client type and give it a Client ID, then click Next

  3. Enable Client authentication, make sure Standard flow is selected, then click Next

  4. Enter your deployment's Root URL. It is the URL of your frontend.

    1. Set it to <frontend_url>

    2. For cloud deployments, you must set it to <base_url>

  5. Set the Home URL to /

  6. Enter your Valid redirect URIs

    1. Set it to <backend_url>/api/accounts/oidc/openid_connect/login/callback/

    2. For cloud deployments, you must set it to <base_url>/api/accounts/oidc/openid_connect/login/callback/

  7. Once your client is created, you can find its Client secret under the Credentials tab. You can copy it from there

  8. Go into Realm settings > General to find the OpenID Endpoint Configuration, which you will have to paste into CISO Assistant's Server URL SSO parameter

Adding a user to your application doesn't automatically create the user in CISO Assistant

You can now configure CISO Assistant with the parameters you've retrieved.

Flash mode

Establishing a security posture in flashcards mode

Setting up Multi-Factor Authentication (MFA)

Multi-factor authentication adds an extra layer of security to your account by requiring both your password and a time-based code when you log in.

Prerequisites

  • A smartphone with an authenticator app installed

  • Access to your account settings on CISO Assistant

Enable MFA

  1. Sign in to your account and navigate to 'My profile'

  2. Select the 'Settings' button

  3. Look for the Security section and click 'Enable 2FA'

  4. Set up your authenticator app:

    • Open your authenticator app on your smartphone

    • Scan the QR code displayed on your screen

    • Alternatively, you can manually enter the provided secret code into your authenticator app

  5. Enter the 6-digit verification code shown in your authenticator app

  6. Click 'Enable 2FA' to complete the setup

Important: Save Your Recovery Codes

After enabling MFA, you'll receive a set of recovery codes. These codes are crucial for regaining access to your account if you:

  • Lose your phone

  • Uninstall your authenticator app

  • Cannot access your authenticator app for any reason

Security Warning:

  • Store your recovery codes in a secure location, separate from your password

  • Each recovery code can only be used once

  • Never share your recovery codes with anyone

  • Consider storing a copy both digitally (in a password manager) and physically (printed in a secure location)

Next Steps

  • Test your MFA setup by logging out and back in

  • Reach out for support if you encounter any issues during setup
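For those who want to know what the 6-digit code is, the following is an added example, not CISO Assistant's implementation: a TOTP computation per RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits), which is what the common authenticator apps implement, the base32 decoding of the manual secret code, and a recovery-code store that accepts each code exactly once, as the warning above states. That CISO Assistant uses exactly these parameters is an assumption; the test secret is RFC 6238's and the recovery codes are constructed.

```python
"""What the authenticator app computes behind the 6-digit code, and how single-use
recovery codes can be checked. Added example, not CISO Assistant's implementation:
it follows RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits), as the common
authenticator apps do. RFC_SECRET is the RFC 6238 appendix B test secret."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and its +-window neighbours (clock drift), comparing
    in constant time so a timing side channel does not reveal matching digits."""
    current = at // step
    return any(hmac.compare_digest(hotp(secret, current + k), code)
               for k in range(-window, window + 1))


def secret_from_base32(text: str) -> bytes:
    """The manual 'secret code' shown next to the QR code is base32; apps accept it
    grouped with spaces, in lower case and without '=' padding."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class RecoveryCodes:
    """Stores only hashes of the codes; each code is accepted exactly once."""

    def __init__(self, codes):
        self._hashes = {self._hash(c) for c in codes}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    @staticmethod
    def generate(count: int = 8) -> list:
        return [secrets.token_hex(5) for _ in range(count)]

    def redeem(self, code: str) -> bool:
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.remove(h)  # burnt: a replayed code is refused
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


RFC_SECRET = b"12345678901234567890"  # RFC 6238 appendix B test secret

if __name__ == "__main__":
    print("code now:", totp(RFC_SECRET, int(time.time())))
    codes = RecoveryCodes.generate()
    store = RecoveryCodes(codes)
    print("first use:", store.redeem(codes[0]), "replay:", store.redeem(codes[0]))
```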

Microsoft Entra ID

Configure Microsoft Entra ID as an Identity Provider for CISO Assistant

Go into your Azure portal home

  1. Open the sidebar menu and click on Microsoft Entra ID

  2. Click on the Add button > Enterprise application

  3. Click on Create your own application

  4. Enter a name and then click Integrate any other application you don’t find in the gallery (Non-gallery)

  5. Click on Single sign-on from the sidebar menu or on Set up single sign on below Getting Started and choose SAML

  6. In the first box Basic SAML Configuration, specify the Entity ID; it has to be the same as the SP Entity ID in CISO Assistant (see next screenshot)

  7. Add the Reply URL: <base_url>/api/accounts/saml/0/acs/ (for example with localhost: https://localhost:8443/api/accounts/saml/0/acs/)

  8. In the third box SAML Certificates, copy the App Federation Metadata Url as it is the Metadata URL in CISO Assistant (see next screenshot)

  9. In the fourth box Set up <App_name>, copy the Microsoft Entra Identifier as it is the IdP Entity ID in CISO Assistant

  10. Make sure the Identifier (Entity ID) you set earlier in block 1 is the same as the SP Entity ID in CISO Assistant:

  11. Click on Users and groups in the sidebar menu, and Add user/group to give them access to CISO Assistant with SSO. The matching key will be the email and you'll be able to grant their permissions on the applications.

Adding a user to your application doesn't automatically create the user in CISO Assistant

You can now configure CISO Assistant with the 3 parameters you've retrieved.

Add and manage users

Under Organization, click on Users and then Add user:

Set up the email of the new user:

Once created, a new user doesn't have any permissions by default. Click edit and update the user groups:

If you are working on a single domain, or working solo, you might just set `Global - Administrator`

When the user is added, and if the mailer is set up, they will receive an email to set up their password. If not, you can set a temporary password as illustrated above.

Custom roles

For fine-grained permissions management

Learn how to create and customize roles such as DPO and OPS within your organization

Sign in as an Admin on your CISO Assistant instance and follow the steps below.

1. Introduction

This guide walks you through setting permissions and assigning user groups to streamline your CISO Assistant's role management.

2. Click "Organization"

Navigate to the Organization section to begin managing your team's roles.

3. Click "Roles"

Access the Roles tab to view and modify existing roles.

4. Click here

Initiate creating a new role by selecting the option to add one.

5. Fill "DPO"

Enter the name for the new role, such as 'DPO', to define its identity.

6. Click "Save"

Save the newly created role to confirm its addition to your organization.

7. Click here

Open the permissions settings for the new role to customize access.

8. Click here

Expand the permissions list to view all available options.

9. Click "Select all"

Select all permissions to grant comprehensive access to the role.

10. Click "Save"

Save the permission settings to apply them to the role.

11. Click here

Start creating another role by selecting the add role option again.

12. Fill "OPS"

Name this role, for example 'OPS', to specify its function.

13. Click "Save"

Save the role to add it to your organization's role list.

14. Click here

Access the permissions for the newly created role to tailor its access.

15. Click here

Open the detailed permissions menu to adjust specific controls.

16. Click here

Select the option to edit applied controls for fine-tuning.

17. Click "Edit applied control"

Modify the applied control by entering a specific control number, such as '205'.

18. You can select an individual permission

Confirm the changes made to the applied control settings.

19. Click here

View the applied control details to verify the configuration.

20. Click here

Update the applied control with another control number, like '207', if needed.

21. Click here

Return to the permissions overview to continue adjustments.

22. Or you can click "Select all"

Select all permissions to ensure full access for the role.

23. Click "Save"

Save all permission changes to finalize the role's capabilities.

24. Click "User groups" to see your newly added roles

Switch to the User Groups section to manage group memberships.

26. Click "Users"

Navigate to the Users tab to assign roles to individuals.

27. Click here

Select a user to modify their group memberships and roles.

28. Click here

Open the user's group assignment settings to begin editing.

29. Fill "OPS"

Enter the role name, such as 'OPS', to assign it to the user.

30. Click "ACME - OPS"

Choose the corresponding user group, like 'ACME - OPS', for the role.

31. Fill "DPO"

Input another role name, for example 'DPO', for additional assignments.

32. Click "Global - DPO"

Select the matching user group, such as 'Global - DPO', for this role.

33. Pick your user groups

Review all assigned user groups and roles to ensure accuracy.

34. Click "Save"

Save the user group and role assignments to complete the process.

This guide detailed how to create and configure custom roles like DPO and OPS, assign comprehensive permissions, and manage user group memberships effectively. It ensures your organization’s roles are tailored and users are properly assigned for optimal access control.

Google Workspace

Configure Google Workspace as an Identity Provider for CISO Assistant

Google Workspace doesn't allow callbacks to URLs containing http or localhost, so it can be tricky to test locally. You should deploy CISO Assistant with a FQDN to bypass these restrictions.

Go into Google Workspace Admin console

  1. On the sidebar menu, go to Applications > Web and mobile applications

  2. Click on Add an application > Add a custom SAML Application

  3. Enter ciso-assistant or the name of your choice and click on continue

  4. You can copy the SSO URL, Entity Id and x509 certificate here, but you'll also be able to retrieve them later

  5. Fill ACS URL with <base_url>/api/accounts/saml/0/acs/, enter the Entity ID, which has to be the same as the SP entity Id in CISO Assistant (ciso-assistant by default), and choose Email in Name ID Format

  6. Add two mappings for First name and Last Name, filled with these two values:
     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  7. On application home page, you can now find the Entity ID, SSO URL and x509 certificate

Adding a user in your application doesn't automatically create the user on CISO Assistant.

You can now configure CISO Assistant with the 3 parameters you've retrieved.

Governance

You will set here documents and items that are used as a basis for assessments.

Policy

A policy is a specific type of applied control that consists of a document describing what is expected from some of your stakeholders.

Putting your cybersecurity policies in CISO Assistant will make them readily available for compliance assessments, and will allow you to manage their lifecycle.

Risk matrix

To perform risk evaluation, CISO Assistant uses a risk matrix that calculates the risk level as a function of the probability and the impact of a scenario.

Risk matrices have to be imported from a library. Use either one provided by default, or define your own matrix with a custom library, as documented in our github repo.

Most often, entities define an official risk matrix that should be used for all risk assessments. But CISO Assistant lets you choose the risk matrix for each assessment if you need to use several of them. However, it is not possible to change the risk matrix once the assessment is created.

User Groups

User groups are built-in objects giving permissions to all users inside of them, with a specific role across a scope.

For now, it is not possible to create custom role assignments, so you need to use built-in user groups. Each group links a domain with a role; the role contains the precise permissions that will be given to the users in this group.

Roles

Let's give some details on the 5 built-in roles (role: permissions):

  • Administrator: full access (except approval), and specifically management of domains, users and user rights

  • Domain manager: full access to selected domains (except approval), in particular managing rights for these domains; read access to global objects

  • Analyst: read-write access to selected perimeters/domains; read access to global and domain objects

  • Auditor: read access to selected perimeters/domains

  • Approver: read access (like the Auditor role), plus the additional capability to approve risk acceptances

The Django superuser is given administrator rights automatically on startup.

Global user groups

Once your instance is created, three user groups are already present:

  • Global - Administrator

  • Global - Approver

  • Global - Auditor

They give the corresponding permissions on the Global scope, i.e. on every object of your instance.

Domain user groups

They are created for each domain you add. For example, if you create a domain R&D, there will be:

  • R&D - Domain Manager

  • R&D - Analyst

  • R&D - Approver

  • R&D - Auditor

They give the corresponding permissions on the domain scope, i.e. on every object inside R&D.

Local

Basic setup for local deployment and experimentation

The recommended pattern for local deployment is to use Docker Compose. Check the Readme file on the CISO Assistant repo for the latest instructions.

The compose file will manage three containers and set the required variables:

  • Front

  • Back

  • Caddy (proxy)

Before running it:

  • Make sure to have a recent version of Docker installed

    • On a Linux distro with a server flavor, make sure to remove older versions and install the latest one using the official Docker repos to avoid broken setups. Check out the instructions at https://docs.docker.com/engine/install/ubuntu/

  • On Windows, Docker Desktop + WSL is recommended

  • On macOS, Docker Desktop covers the requirements

Using prebuilt images

Run:

./docker-compose.sh

It will clean up previous images and get the latest stable release.

Once the images are downloaded and migration triggered, you should see a prompt asking you to set the first superuser. Follow the instructions to set it, and you should be ready.

In case you are running on an unsupported architecture, you can open a GitHub issue so that we add its support or use the next steps to build the images locally.

Re-building the images locally

Alternatively, if the previous configuration didn't succeed, run:

./docker-compose-build.sh

SSL Warning

Given that Caddy is using a self-signed certificate, your browser will mention a warning that you can accept and continue.

Compliance

This is where you can carry out your compliance work based on the framework of your choice.

Framework

The fundamental object of CISO Assistant for compliance is the framework. It corresponds to a given standard, e.g. ISO27001:2022. They can be imported from the library. If you don't find a framework which fits your needs, no worries, you can build your own framework and add it to CISO Assistant!

Audit

This allows you to assess your compliance with the chosen framework by giving each requirement one of the following statuses:

  • To do

  • In progress

  • Non compliant

  • Partially compliant

  • Compliant

  • Not applicable

Evaluating a requirement inside a compliance assessment is called a requirement assessment.

Evidence

Evidence allows you to use a description, link or file to justify the status of a compliance requirement or to prove that a control has been applied. They can therefore be associated with different applied controls or requirement assessments.

Updating your local instance

How to update your local instance. All docker images are available on ghcr with the specific versions matching the repo tags. The latest tag points to the most recent release for both back and front.

Hands-free

The easiest way to update your on-prem/local instance (pro or community)

Run the script update-ciso-assistant:

./update-ciso-assistant.sh

Detailed steps

In case of issues (unsupported shell, windows, etc.) here are the steps to consider:

  1. Backup your db:

    1. if you're using sqlite, copy the file under a different name

    2. if it's postgresql, you can use something like pg_dump

  2. Stop and clean the containers; this won't affect your data:

docker compose rm -fs

  3. Restart the compose and let it handle the migration:

docker compose up -d

Edge cases

Force remove the previous docker images to get the new ones

docker rmi ghcr.io/intuitem/ciso-assistant-community/backend:latest ghcr.io/intuitem/ciso-assistant-community/frontend:latest 2> /dev/null

Prerequisites

Prerequisites to Install CISO Assistant On-Premises

  1. Hardware Requirements:

    1. CPU: 4 cores

    2. RAM: Minimum 8 GB

    3. Storage: Minimum 10 GB (consider more if you store a lot of evidence)

You can start with lower specs of course for testing.

  1. Software Requirements:

    1. Ubuntu/Debian, CentOS, RHEL: LTS versions recommended when applicable*

    2. Docker 27 or up, with Docker compose, or Kubernetes Cluster 1.29 or up

    3. Postgres 16 or up if you are choosing this variant

    4. Any SMTP compatible Mailer

*Most Linux distributions supporting Docker should be compatible but have not been tested. Some distributions do not use the official repositories, so make sure to follow the instructions from the Docker page.

Setting up mailer

Setup the following environment variables:

DEFAULT_FROM_EMAIL=purple@ciso-assistant.fr
EMAIL_HOST=localhost
EMAIL_PORT=1025
EMAIL_HOST_USER=purple
EMAIL_HOST_PASSWORD=dummy-unsafe-example
EMAIL_USE_TLS=True

Note: Docker Compose Environment Variables

When using Docker Compose, avoid spaces around the = sign in environment variable definitions. Spaces cause variables to be silently ignored.

Correct: MY_VARIABLE=value Incorrect: MY_VARIABLE = value
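As an added check (example code, not part of the CISO Assistant tooling), the following Python snippet scans an env-file body for the pitfalls described above: whitespace around `=`, a missing mailer variable, TLS left off, and the documentation's sample password still in place. The required-variable list is taken from the block above; treating `dummy-unsafe-example` as a placeholder is an assumption.

```python
import re

# Mailer variables from the documentation block above.
REQUIRED_MAILER_VARS = (
    "DEFAULT_FROM_EMAIL", "EMAIL_HOST", "EMAIL_PORT",
    "EMAIL_HOST_USER", "EMAIL_HOST_PASSWORD", "EMAIL_USE_TLS",
)
# The password value shown in the documentation example; treated here
# (assumption) as a placeholder that must not survive into a deployment.
PLACEHOLDER_PASSWORD = "dummy-unsafe-example"
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def lint_env(text):
    """Parse an env-file body and return (variables, findings).

    Lines with whitespace around '=' are reported rather than parsed, since
    Docker Compose silently ignores such definitions.
    """
    parsed, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append(f"line {lineno}: not a KEY=value entry: {line!r}")
            continue
        key, _, value = line.partition("=")
        if key != key.rstrip() or value != value.lstrip():
            findings.append(
                f"line {lineno}: whitespace around '=' in {key.strip()!r}; "
                "Compose would ignore this variable")
            continue
        if not KEY_RE.match(key):
            findings.append(f"line {lineno}: invalid variable name {key!r}")
            continue
        parsed[key] = value
    for var in REQUIRED_MAILER_VARS:
        if var not in parsed:
            findings.append(f"missing mailer variable {var}")
    if parsed.get("EMAIL_USE_TLS") != "True":
        findings.append("EMAIL_USE_TLS is not 'True': SMTP session would not be encrypted")
    if parsed.get("EMAIL_HOST_PASSWORD") == PLACEHOLDER_PASSWORD:
        findings.append("EMAIL_HOST_PASSWORD still holds the documentation placeholder")
    if "EMAIL_PORT" in parsed and not parsed["EMAIL_PORT"].isdigit():
        findings.append(f"EMAIL_PORT is not numeric: {parsed['EMAIL_PORT']!r}")
    return parsed, findings


# Constructed sample mixing correct and incorrect lines (line 2 has the
# spacing mistake the note above warns about).
SAMPLE_ENV = """\
DEFAULT_FROM_EMAIL=purple@ciso-assistant.fr
EMAIL_HOST = smtp.example.com
EMAIL_PORT=587
EMAIL_HOST_USER=purple
EMAIL_HOST_PASSWORD=dummy-unsafe-example
EMAIL_USE_TLS=False
"""

if __name__ == "__main__":
    variables, problems = lint_env(SAMPLE_ENV)
    print(variables)
    for problem in problems:
        print("-", problem)
```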

Custom certificates

How to add custom certificates for your remote installation

You can configure your own Certificate by replacing the line tls internal in the docker-compose.yml by tls <cert_file> <key_file>. Here is Caddy documentation on this https://caddyserver.com/docs/caddyfile/directives/tls

Before doing this, there is just one step: you need to add the cert_file and the key_file inside the caddy container.

You have basically two ways to do it:

  • Adding the two files inside caddy_data directory, as it is already mounted by default in the volumes, and specify the path to the files:

caddy:
    container_name: caddy
    image: caddy:2.10.0
    ...
    volumes:
      - ./caddy_data:/data
    command: |
      sh -c 'echo $$CISO_ASSISTANT_URL "{
      reverse_proxy /api/* backend:8000
      reverse_proxy /* frontend:3000
      tls /data/<path>/cert_file /data/<path>/key_file
      }" > Caddyfile && caddy run'

  • If you don't have this volume or you want to add another, create a directory at the same level as your docker compose file, for example /certs, add the files inside and mount it:

caddy:
    container_name: caddy
    image: caddy:2.10.0
    ...
    volumes:
      - ./caddy_data:/data
      - ./certs:/certs
    command: |
      sh -c 'echo $$CISO_ASSISTANT_URL "{
      reverse_proxy /api/* backend:8000
      reverse_proxy /* frontend:3000
      tls /certs/cert_file /certs/key_file
      }" > Caddyfile && caddy run'

CIS Controls / Cloud Controls Matrix (CCM)

importing CIS Controls or CSA CCM

Since CSA and CIS have more restrictive terms on their licenses, users need to perform an extra action by downloading the sheet on their side and running the preparation script as described in the tools folder.

To import the CIS Controls, you need to prepare the file first. The easy way, once you have Python and the convert_library dependencies installed, is to copy the Excel sheet as-is (CIS_Controls_Version_8.xlsx) into the tools folder and run convert_cis.sh

CIS controls converter can be found under tools/excel/cis

CCM converter can be found under tools/excel/ccm

Afterwards, you can upload the generated yaml file as a custom library and load it.

Alternatively, you can run the prep script first (cis/prep_cis.py) and mention any short string as the packager and then pass the new Excel sheet to the convert_library.py


Risk

This is where risk analyses are managed, from definition to potential acceptance.

ISO 27005 risk management workflow

Risk assessment

You can create risk assessments in your perimeters. A risk assessment encompasses:

  • risk identification, when you define your risk scenarios

  • risk analysis, when you assess the probability, impact and strength of knowledge for each scenario

  • risk evaluation, which is done automatically based on the selected risk matrix

In CISO Assistant, risk treatment is combined with risk assessment.

Risk scenario

The scenarios can be defined directly from the risk assessment view or separately via this view.

Risk acceptance

Risk acceptance is when an organization or individual decides to tolerate a certain level of risk without taking further action to reduce it. This view allows you to manage a workflow to get formal approval of risk acceptances by management. The approver of a risk acceptance must have a user account with the approver role. To find out more about risk acceptance, you can have a look at the ENISA risk management process.

Organization

You can find here CISO Assistant global organization. All entities will be linked to or contained within these objects.

A folder organization

For access control purposes, CISO Assistant data is organized in a tree of folders. Starting from a root folder called Global, it divides into sub-folders called domains. The organization of the tree is not hard-coded; it is entirely determined by configuration. Any object in CISO Assistant (including folders) is attached to a folder, either directly or indirectly through a parent object that is attached to a folder.

Organization example

So, what is a domain?

A domain lets you organize your work depending on your use of CISO Assistant. For example, inside a company, you can create a domain for each department for which you need to manage a variety of perimeters; or if you have different customers, you may as well have a domain for each one in order to delimit your work area.

Utility

A domain is the first thing you create on CISO Assistant. It will bring together all the objects you need to complete your different perimeters. Every role/permission a user has on a domain is applicable to all objects/actions across the domain. It's all about organization; the only technical aspect is access control, and this is achieved by adding the user to the relevant user group.

Role assignment

In the first/open source version of CISO Assistant, custom role assignment is not available. So, when you create a domain, user groups concerning this domain are automatically created for each built-in role. All you need to do, is to assign your users to their user groups. To learn more about this, jump to User Groups.

Perimeters

Perimeters are fundamental context objects defined by the entity using CISO Assistant. They are grouped in domains. They contain all your risk and compliance assessments, and let you group your various evaluations across the different domains.

There are two specific fields, internal reference and status. Here are the various status options:

  • -- (None)

  • Design

  • Development

  • Production

  • End of life

  • Dropped

The purpose of a perimeter is first of all organizational: it solves the problem of grouping related work. But it also makes it possible to improve analytics by breaking them down by assessment, whether for risk or compliance, so as to make your project management more precise and reduce noise.

User Groups

User groups go hand in hand with domains. They associate permissions with users and define their scope by being attached to a domain. They follow a simple and consistent RBAC model: a role containing permissions and a domain determining the perimeter. Go to the User Groups page for more details.
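To make the RBAC model concrete, here is an added Python sketch (example code, not CISO Assistant's own implementation) of the folder tree described in this Organization section together with the built-in roles and user groups from the User Groups section. The permission sets are abbreviated from the roles table, and the scope rule (a group covers its folder and everything beneath it) is an assumption drawn from the description of Global and domain scopes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permissions granted by each built-in role, abbreviated from the roles table:
# only the Approver role carries "approve"; Administrator and Domain Manager
# additionally manage user rights within their scope.
ROLE_PERMISSIONS = {
    "Administrator": {"read", "write", "manage_rights"},
    "Domain Manager": {"read", "write", "manage_rights"},
    "Analyst": {"read", "write"},
    "Auditor": {"read"},
    "Approver": {"read", "approve"},
}

GLOBAL_ROLES = ("Administrator", "Approver", "Auditor")
DOMAIN_ROLES = ("Domain Manager", "Analyst", "Approver", "Auditor")


@dataclass(frozen=True)
class Folder:
    """A node of the folder tree: the Global root, a domain, or a sub-folder."""
    name: str
    parent: Optional["Folder"] = None

    def lineage(self):
        """Yield this folder and then each ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


@dataclass(frozen=True)
class UserGroup:
    """A built-in group is one role applied to one scope folder."""
    scope: Folder
    role: str

    @property
    def name(self) -> str:
        return f"{self.scope.name} - {self.role}"


@dataclass
class User:
    email: str
    groups: list = field(default_factory=list)


def builtin_groups(root: Folder, domains: list) -> dict:
    """Create the three Global groups plus the four groups of each domain."""
    groups = {}
    for role in GLOBAL_ROLES:
        g = UserGroup(root, role)
        groups[g.name] = g
    for domain in domains:
        for role in DOMAIN_ROLES:
            g = UserGroup(domain, role)
            groups[g.name] = g
    return groups


def is_allowed(user: User, action: str, obj_folder: Folder) -> bool:
    """Assumed scope rule: a group grants `action` on an object when its role
    includes the action and its scope folder is the object's folder or one of
    that folder's ancestors (so the Global groups cover every object)."""
    lineage = set(obj_folder.lineage())
    return any(
        action in ROLE_PERMISSIONS[g.role] and g.scope in lineage
        for g in user.groups
    )


def build_demo():
    """Constructed scenario: two domains, a nested sub-folder, four users."""
    root = Folder("Global")
    rnd = Folder("R&D", root)
    finance = Folder("Finance", root)
    mobile = Folder("Mobile app", rnd)  # attached under R&D, inherits its scope
    groups = builtin_groups(root, [rnd, finance])
    users = {
        "alice": User("alice@example.com", [groups["R&D - Analyst"]]),
        "bob": User("bob@example.com", [groups["Global - Auditor"]]),
        "carol": User("carol@example.com", [groups["R&D - Approver"]]),
        "dave": User("dave@example.com", [groups["Global - Administrator"]]),
    }
    folders = {"root": root, "rnd": rnd, "finance": finance, "mobile": mobile}
    return users, folders, groups


if __name__ == "__main__":
    users, folders, groups = build_demo()
    print(sorted(groups))  # the seven built-in group names for these domains
    for who, action, where in [("alice", "write", "mobile"), ("alice", "read", "finance"),
                               ("bob", "read", "finance"), ("bob", "write", "rnd"),
                               ("carol", "approve", "rnd"), ("dave", "approve", "rnd")]:
        print(f"{who} may {action} in {where}: {is_allowed(users[who], action, folders[where])}")
```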

Deploy on a VPS

Virtual Private Server - Remote internet-facing VM

This setup aims to expose CISO Assistant on a VPS while using automated Let's Encrypt for certificates management.

  1. Provision your VPS and make sure it has a publicly reachable IP. Make sure it meets the Prerequisites mentioned on that page.

  2. Set up your DNS zone to point to the IP of your VPS (A record). Give it some time to propagate (it depends on the registrar). It's better to do this as soon as you get the IP, to give it enough time to propagate.

  3. In the following I'm using Ubuntu 24.04, so adjust the package installation according to your OS.

  4. ssh to your server and perform the following commands:

#update ubuntu repository and OS
sudo apt update
sudo apt upgrade 

# install docker
sudo snap install docker

#install python
sudo apt install python3-pip python3.12-venv

#clone the repo
git clone https://github.com/intuitem/ciso-assistant-community.git

#go to the config generator
cd ciso-assistant-community
cd config

# setting up the python project and dependencies 
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

# run the interactive config generator
python make_config.py
  5. Follow the instructions and make sure to do the following:

  • select VM/Remote

  • Internet facing and ACME ready - yes

  • Provide the FQDN you've set on your registrar

  • Port to use: 443

It should look like something like this:

  6. Keep track of the URL mentioned at the end of the config generator. You can review the generated yml file and adapt it if needed.

# switch to sudo. This can be avoided depending on your docker setup
sudo su 
./docker-compose.sh

Wait for the app to initialize and you will get a prompt to enter the first admin user and the password.

You can go back and update the docker-compose.yml according to your needs or restart the interactive guide to create a new one.

You can choose Traefik or BunkerWeb instead of Caddy using the config builder. Please note that BunkerWeb deployment is still experimental at the moment.

👉 Notes

  • The generated file in the config directory will be named docker-compose-custom.yml. For subsequent operations with compose, you'll need to specify it with -f.

  • If you're running docker compose without the -f, it could conflict with the default one on the repository root directory.

  • If you're starting a production environment:

    • make sure to disable the debug mode,

    • have your docker-compose-custom renamed and stored out of the repo,

    • have your db folder outside of the repo.

Clean up

cd config
# stop and remove containers
docker compose -f docker-compose-custom.yml rm -fs
# delete the db and proxy config
git clean -fdx .

Upgrading a library

getting the incremental updates of your framework, matrix or catalog

If you've updated your instance and didn't see the changes on a loaded library, you can do the following to refresh the library to the latest version:

This also applies to custom frameworks, as long as you respect the incremental step of the library's version.

Helm Chart

instructions for Kubernetes installation with Helm Chart

GH OCI registry

  1. Get the values

  2. Customize as you see fit

  3. Install the chart

Legacy

Make sure to have Helm binary installed and switch to your cluster context.

  1. Add the helm repository:

helm repo add intuitem https://intuitem.github.io/ca-helm-chart/

  2. Get the default values:

helm show values intuitem/ciso-assistant > my-values.yaml

  3. Check and adjust them to your needs, specifically the frontendOrigin parameter

  4. Create a namespace for your deployment:

kubectl create ns ciso-assistant

  5. Install:

helm install my-octopus intuitem/ciso-assistant -f my-values.yaml -n ciso-assistant

This setup relies on Caddy handling the TLS on your behalf. In case you're experiencing SSL-related issues, you might want to patch your ingress-nginx-controller to activate the enable-ssl-passthrough flag.

In case you are running it locally with a non reachable FQDN, you might want to consider adding tls internal on the Caddy config for self-signed certificate.

Translating the interface

You can contribute to interface translations using a tool called fink.

  1. Copy the URL of the CISO Assistant GitHub repository: https://github.com/intuitem/ciso-assistant-community

  2. Visit fink and paste the URL you just copied.

  3. Sign in using your GitHub account.

  4. Click the 'fork' button at the bottom of the page. You may need to refresh the page to start contributing.

  5. Select the language(s) you wish to translate, or add new ones.

  6. Edit translations.

  7. When you are done, you can press the button at the bottom of the page to push the changes you made.

  8. When your translations are ready, submit a pull request on https://github.com/intuitem/ciso-assistant-community.

Read fink's user guide for more information.

Getting your custom framework

CISO Assistant allows you to manage your custom frameworks. The format is a text-based YAML file that you can customize, but it can be tricky to maintain and debug. To make this easier, we've introduced a simpler approach that converts Excel sheets using the convert_library.py utility available under /tools at the repository root.

Structure

The first thing to consider is structuring your requirements into a hierarchy, as illustrated in the example above. Most standards, frameworks, and legal documents are already organized this way. This is the depth concept: CISO Assistant has been tested with nodes up to the 8th level of depth (documents deeper than 6 levels are mostly hard to read anyway).

Then, the other vital aspect to think about will be which items are actually assessable. For instance, the categories, sections, and subsections are for organization and, therefore, won't be assessable unlike the requirements.

Here is what a standard file should look like accordingly:

This is taken from the sample file available under /tools/sample/sample.xlsx and can be used as a reference.

Implementation groups are an optional argument that can be used to create subset of the requirements per level or a scope of applicability. They can be combined or isolated depending on the framework structure.

File conversion steps

  1. Clone the repo and make sure you are at its root

  2. Make sure you have Python installed (including pip), version 3.11 or higher is recommended

  3. cd to /tools

  4. run pip install -r requirements.txt to install the script dependencies

  5. copy the sample directory, including the file within, to a new directory at the same level, for instance, myframework/my-custom-framework.xlsx

  6. Edit the first tab (library_content) to describe your framework metadata

    1. Implementation groups and score descriptions are optional, so if they don't apply, you can simply remove lines

  7. Edit the Excel sheet according to the expected hierarchy.

    1. The order of the items is essential and will be used to build the tree on CISO Assistant. So make sure you're following the previously described structure

  8. From the tools folder, run python3 convert_library.py myframework/my-custom-framework.xlsx to generate the yaml file; if a mandatory field is missing, you'll get an error explaining the issue.

  9. If everything is good, you'll get a message confirming the generation of myframework/my-custom-framework.yaml
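As an added sanity check on the Structure rules above, to run over your rows before step 8 (example code, not the project's converter), the following Python builds the tree from rows in sheet order and flags depth jumps, duplicate ref_ids, and non-assessable nodes with nothing beneath them. The four-column row shape (depth, ref_id, name, assessable) is an assumption standing in for the sample sheet's columns.

```python
from dataclasses import dataclass, field

MAX_TESTED_DEPTH = 8  # nodes up to the 8th level have been tested, per the text above


@dataclass
class Node:
    depth: int
    ref_id: str
    name: str
    assessable: bool
    children: list = field(default_factory=list)


def build_tree(rows):
    """Build the hierarchy from rows given in sheet order.

    Each row is (depth, ref_id, name, assessable); this shape is an
    assumption. Returns (roots, findings), findings being readable problems.
    """
    roots, stack, findings, seen = [], [], [], set()
    for idx, (depth, ref_id, name, assessable) in enumerate(rows, 1):
        node = Node(depth, ref_id, name, assessable)
        if ref_id in seen:
            findings.append(f"row {idx} ({ref_id}): duplicate ref_id")
        seen.add(ref_id)
        if depth < 1 or depth > MAX_TESTED_DEPTH:
            findings.append(f"row {idx} ({ref_id}): depth {depth} is outside 1..{MAX_TESTED_DEPTH}")
        # The parent is the nearest preceding row with a smaller depth,
        # which is why row order matters.
        while stack and stack[-1].depth >= depth:
            stack.pop()
        parent_depth = stack[-1].depth if stack else 0
        if depth != parent_depth + 1:
            findings.append(
                f"row {idx} ({ref_id}): depth jumps from {parent_depth} to {depth}; "
                "row order or depth is wrong")
        (stack[-1].children if stack else roots).append(node)
        stack.append(node)

    def check_leaves(node):
        # A category or section that is not assessable and has no requirement
        # beneath it would show up empty in an audit.
        if not node.children and not node.assessable:
            findings.append(f"{node.ref_id}: non-assessable node without children")
        for child in node.children:
            check_leaves(child)

    for root in roots:
        check_leaves(root)
    return roots, findings


def render(roots):
    """Return the tree as indented lines; [A] marks assessable requirements."""
    lines = []

    def walk(node):
        marker = "[A]" if node.assessable else "[ ]"
        lines.append(f"{'  ' * (node.depth - 1)}{marker} {node.ref_id} {node.name}")
        for child in node.children:
            walk(child)

    for root in roots:
        walk(root)
    return lines


# Constructed sample rows, in the order they would appear in the sheet.
SAMPLE_ROWS = [
    (1, "A.5", "Organizational controls", False),
    (2, "A.5.1", "Policies for information security", True),
    (2, "A.5.2", "Information security roles and responsibilities", True),
    (1, "A.8", "Technological controls", False),
    (2, "A.8.1", "User endpoint devices", True),
    (2, "A.8.2", "Privileged access rights", True),
]

if __name__ == "__main__":
    roots, findings = build_tree(SAMPLE_ROWS)
    print("\n".join(render(roots)))
    print("findings:", findings or "none")
```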

Importing

  1. Open CISO Assistant. On the side menu, go to Governance/Libraries then to the Libraries store tab

  2. Scroll down to get to Upload your own library section and select your file.

  3. If the file is consistent and correct, you'll get a confirmation and it will get straight ahead to your imported frameworks under Compliance/Frameworks section

Testing your custom framework

We have simplified the steps for testing custom frameworks starting from version 1.3.4, so you can experiment with the same flexibility in both the on-premises and SaaS versions:

NEW: Full guide (French)

Frequent questions

Stop and restart

docker compose down

docker compose up -d

Getting the logs

All services logs combined:

docker compose logs

Specific service:

docker compose logs backend

Didn't get the prompt for the first user

If you didn't get the prompt to create the first user, or lost the password but you still have access to the infra level, you can trigger the createsuperuser command to fix that.

In your compose file folder, try:

docker compose exec backend poetry run python manage.py createsuperuser

Alternatively, in a docker environment:

docker ps -a | grep backend (this will get you the id of the Backend for CISO Assistant container, keep it for the next step)

docker exec -it <the_container_id> poetry run python manage.py createsuperuser

and you should get a prompt now 😉

Random issues after upgrading

In some rare cases, the migration of database schemas can take longer than expected or fail silently. The first thing to check is the backend container logs (see Getting the logs above):

Make sure you share this information if you're reporting an issue on Discord or the Support portal.

If you want to trigger the migration to make sure that all increments have been properly applied:

Healthcheck fails during the installation

Most likely because the initialization took longer than expected. Make sure you provide the expected specs, or tune the docker compose to give the app more time to finish the init phase.

Don't want / Can't run the init script

The recommended pattern for a first local setup is to go with ./docker-compose.sh ; In case you can't:

Run

wait for the init to finish and then trigger the first user creation manually:

"Payload too large" when uploading a file to the frontend

By default, the BODY_SIZE_LIMIT environment variable is set to 20 MB in the frontend Dockerfile:

In order to upload larger files, this value must be increased. How to do so depends on your mode of deployment. Here are the relevant docs:

  • https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/

  • https://helm.sh/docs/helm/helm_env/

  • https://docs.docker.com/reference/cli/docker/container/run/#env

If you use helm, this value is overwritten by the bodySizeLimit variable. Note the camel case here.

Remote/Virtualization

Experimenting with CISO Assistant on a remote server or hypervisor

New: Use the config builder at the config folder of the repo for an interactive and reliable experience.

To get started with the config builder, make sure you have Python and Docker installed. For an example on Ubuntu, see the commands in the Deploy on a VPS section.

You cannot use IP addresses on the configuration and you need to have a FQDN mapped to it.

  1. If you aim to expose the VM to the internet, use the dedicated guide: Deploy on a VPS

  2. If you aim to connect from the VM

  3. If you aim to connect to the VM from your network

From the VM

This means that you will be using a browser from within the VM so localhost settings are applicable. You can simply use the default ./docker-compose.sh at the root of the repository or trigger the config builder with the following settings:

run ./docker-compose.sh and connect from within the VM using https://localhost:8443

From your network / host OS

  • setup a FQDN for your VM and make sure it's known by the host you are connecting from. This will vary depending on your OS. For instance, for linux/mac, you can add a line to your /etc/hosts file such as:

192.168.1.87 ca.homelab.local

in this example, the first part is your VM's ip and the second one will be the FQDN you'll be providing to the config builder and that you will use to connect later on.

Run the config builder and provide the following settings:

run ./docker-compose.sh and connect from your host this time using https://ca.homelab.local:8443

Notes:

  • If you don't want to use a specific port, use port 443 during the settings, provided it's not used by another application on your system.

  • In the remote setup, if you also want to connect from within the VM, you can add your custom FQDN to the /etc/hosts of your VM but mapped to 127.0.0.1

---

Legacy - Kept for reference purposes

Let's say that you want to setup or experiment with CISO Assistant on a Network or Virtualized environment (eg. Hypervisor) on a remote host, for instance, to use with multiple users:

  • Install a recent version of Docker on your remote server

  • Given that we are using TLS with Caddy, we need to have DNS entries and not IPs

  • The workstations need to be able to reach the remote using an FQDN (DNS entry). If not you can add an entry on your /etc/hosts. Keep track of the remote server DNS as you'll put it on the next step, let's say the remote is cool-vm for instance

  • Clone the repo, but don't run anything yet. Edit the docker-compose.yml file as follows: (red is for deletion and green for addition); your diff should look like:

  • Five lines need to be edited. Save the file and move to the next step

If you're getting SSL_ERROR_INTERNAL_ERROR_ALERT (the name can differ on other browsers) blocking you from continuing, make sure that you've made the 5 changes above.

The tls internal (equivalent to -i in CLI mode) parameter of Caddy can present some security issues and is not recommended for production and internet exposure. You should consider proper certificates for that.

You're all set, and you can simply run the ./docker-compose.sh script.

Your CISO Assistant can be reached now from https://cool-vm:8443, and you can skip the SSL warning for the self-signed certificate.

helm show values oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant > custom.yaml
helm install ciso-assistant-release oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant -f custom.yaml
docker compose exec backend poetry run python manage.py migrate
# frontend/Dockerfile

ENV BODY_SIZE_LIMIT=20000000 
# update the Ubuntu package index and the OS
sudo apt update
sudo apt upgrade

# install Docker
sudo snap install docker

# install Python
sudo apt install python3-pip python3.12-venv

# clone the repo
git clone https://github.com/intuitem/ciso-assistant-community.git

# go to the config generator
cd ciso-assistant-community
cd config

# set up the Python project and its dependencies
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

# run the interactive config generator, then start the stack
python make_config.py
./docker-compose.sh

Special cases

Tips and tricks regarding specific cases

SELINUX

If you have SELinux enabled on your distro, check that it is not blocking the volume mounts of the docker compose stack; you can try something like this:

chcon -Rt svirt_sandbox_file_t ./db

Internationalization

How to contribute to CISO Assistant internationalization

  • Translating the interface

  • Translating the libraries (coming soon)

GRC Summit - Luxembourg 2025

Attachment: flash_deck_CISO_Assistant.pdf (PDF, 10MB)

Submit a library

How to submit a framework, matrix or catalog to the community repository

If you are familiar with GitHub and Git, the submission is pretty straightforward:

  • fork the git repo and make sure it's synced up

  • add the Excel sheet under the tools folder,

  • you can also add the generated YAML (assuming you have tested it) under backend/library/libraries

  • open a pull request and make sure you accept the CLA

and we'll take it from there 👍

If you're not familiar with GitHub and handling Git, you can follow these simplified steps using just the UI:

  • create your Excel sheet based on one of the samples in the tools folder

  • convert it to YAML using the convert_library.py tool

  • test it to make sure it can be parsed by the app and matches what you are expecting

  • sign up on GitHub to create an account and head to the CISO Assistant repository

  • create your fork of the repository

  • if it's not your first time, make sure your fork is up to date

  • go to the tools folder

  • click Add file and then Upload files

  • drag and drop the Excel file you've prepared, or pick it from your filesystem

  • add a commit message, something like "Submitting framework x"

  • commit the changes

  • if everything went well, you should see a message indicating that you're 1 commit ahead

  • optional: you can repeat this process to add the YAML file as well, but in the backend/library/libraries/ folder instead

  • you can now open the pull request:

There are of course cleaner ways to achieve this, but this is intended for a beginner discovering Git and GitHub 😉

Changing the language

Switch the UI language

Bonus: By changing the application language, any framework that is translated to that language will switch automatically to it.

The list of supported languages is available here https://github.com/intuitem/ciso-assistant-community#supported-languages-

New - Cyber Risk Quantification

CRQ quick start

Cyber Risk Quantification on CISO Assistant

This tutorial guides you through performing Cyber Risk Quantification using CISO Assistant.

Go to your instance

1. Introduction
You will learn how to create and configure risk studies, define scenarios with associated assets and threats, apply treatments, run simulations, and analyze results to make informed cybersecurity decisions. Before starting, ensure you have access to the CISO Assistant platform and the necessary permissions to create and edit risk studies.

2. Click "Risk"
Click "Risk" to access the risk management section, where you can start your cyber risk quantification process.

3. Click "CRQ studies"
Click "CRQ studies" to view and manage your Cyber Risk Quantification studies.

4. Click here
Click here to create a new study for your risk analysis.

5. Fill the required fields of the study
Fill "a study" to name your new study, which helps identify it later.

6. Choose a domain
Click "DEMO" to select the demo environment or dataset for your study.

7. Click "Save"
Click "Save" to store your new study configuration.

8. Click "Add scenario"
Click "Add scenario" to define a new risk scenario within your study.

9. Create your first scenario
Fill "first scenario" to name your initial risk scenario for clarity and tracking.

10. You can select an asset now or do it later
Click "DEMO/Ecommerce portal Primary" to assign the primary e-commerce portal asset to your scenario.

11. You can select a threat now or do it later
Click "DEMO/Ransomware" to specify ransomware as the threat type for this scenario.

12. Click "Save"
Click "Save" to save your scenario settings.

13. Click here
Click here to move to the next configuration section.

14. Select the existing controls that serve as a baseline
Click "Treatment" to define the risk treatment options for your scenario.

15. Click "Simulation Parameters"
Click "Simulation Parameters" to set the parameters for your risk simulation.

16. Fill the probability of the current baseline
Fill "0.40" to set the probability or impact factor for the simulation.

17. Set up your lower bound (best case scenario)
Click here to proceed to the next parameter.

18. And your upper bound (worst case scenario)
Fill "100000" to set the worst-case loss estimate for the scenario.

19. Click "Save"
Click "Save" to apply your simulation parameters.

20. Click on the hypothesis and then click "Run simulation"
Click "Run simulation" to start the risk quantification process based on your inputs.

21. You'll notice that your LEC chart has been generated, as well as multiple risk insights
You can hover over the chart for a fine-grained review.

22. Click here to go back to the scenario
Click "first scenario" to select the scenario for which you want to view simulation results.

23. Let's create a new hypothesis
Click "New hypothesis" to create a what-if analysis for alternative risk treatments.

24. Click "Treatment"
Click "Treatment" to assign treatments to your new hypothesis.

25. And pick one of the controls you want to implement
Click "DEMO/Deploy EDR solution" to select the deployment of an Endpoint Detection and Response solution as a treatment.

26. Click "Simulation Parameters"
Click "Simulation Parameters" to adjust the parameters for the hypothesis simulation.

27. Update the simulation parameters of this hypothesis
Adjust them based on your estimate of the risk reduction with this treatment plan.

28. Update the probability and/or the UB/LB
Fill "0.2" to set the updated probability or impact factor for the hypothesis.

29. Click "Save"
Click "Save" to store your hypothesis simulation parameters.

30. Click "Run simulation"
Click "Run simulation" to execute the what-if analysis and compare results.

31. Let's go back to the scenario to compare the two hypotheses
Click "first scenario" to return to the main scenario view.

32. What if the ROSI is not calculated?
Click your control to jump to its details.

33. Click "Edit"
Click "Edit" to modify treatment or scenario settings as needed.

34. Click "Cost"
Click "Cost" to enter the financial impact or cost associated with the treatment.

35. Describe the Build and Run cost structure
Click here to open the cost input field.

36. Click "Save"
Click "Save" to apply your cost settings.

37. The ROSI will get refreshed when you access the scenario again
Accessing the details section of a residual hypothesis will show you the calculation of the ROSI.

38. What if I want a summary of all my scenarios and a portfolio overview?
Click "Executive Summary" to view a high-level overview of your risk quantification results.

39. You can go "Back to Study" anytime to refine the scenarios and hypotheses
Click "Back to Study" to return to the detailed study configuration.

40. What if I want to set a loss threshold?
Click "Edit" to make further changes to your study settings.

41. Click "Tolerance settings"
Click "Tolerance settings" to adjust the risk tolerance thresholds for your analysis.

42. Click here
Click here to open the tolerance input fields.

43. Click "Save"
Click "Save" to confirm your tolerance settings.

44. Tip: click "Retrigger All Simulations" to refresh all simulations and insights
Click "Retrigger All Simulations" to rerun the simulations with updated parameters and settings.

45. Don't forget to use this to go to the parent object
From a hypothesis to its parent scenario, or from a scenario to its parent study.

You have successfully completed a Cyber Risk Quantification study using the CISO Assistant. By defining scenarios, assigning assets and threats, configuring treatments, and running simulations, you can now analyze potential risks and their financial impacts. To verify success, review the Executive Summary and ensure simulations reflect your updated parameters. Next, consider exploring advanced hypothesis testing or adjusting tolerance settings to refine your risk management strategy.
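To make the numbers behind the walkthrough concrete, here is an added example (not CISO Assistant's own simulation engine, whose exact model the page does not document) of what a CRQ hypothesis computes: a Monte Carlo run over a baseline hypothesis (probability 0.40, upper bound 100000, as in the steps above) and a treated hypothesis (probability 0.2 after "Deploy EDR solution"), the loss exceedance curve (LEC) points, and the ROSI that stays uncomputed until a Build/Run cost is set on the control. The lower bound of 10000 and the EDR cost of 5000 are constructed sample values; reading LB/UB as the 5th/95th percentiles of a lognormal loss, and ROSI = (risk reduction - cost) / cost, are this example's assumptions.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 95th-percentile quantile of the standard normal: LB/UB are read as the
# 5th/95th percentiles (a 90% interval) of a lognormal loss magnitude.
# This interpretation is an assumption of the example, not the product's documented model.
Z_95 = 1.6448536269514722


@dataclass
class Hypothesis:
    """One hypothesis of a CRQ scenario: the current baseline or a treated what-if."""
    name: str
    probability: float          # annual probability that the scenario occurs
    lower_bound: float          # best-case loss if it occurs (LB)
    upper_bound: float          # worst-case loss if it occurs (UB)
    control_cost: float = 0.0   # build + run cost of the added treatment (0 for the baseline)


def lognormal_params(lower_bound: float, upper_bound: float) -> Tuple[float, float]:
    """Fit (mu, sigma) of a lognormal whose 5th/95th percentiles are LB/UB."""
    if not 0 < lower_bound < upper_bound:
        raise ValueError("need 0 < lower_bound < upper_bound")
    mu = (math.log(lower_bound) + math.log(upper_bound)) / 2
    sigma = (math.log(upper_bound) - math.log(lower_bound)) / (2 * Z_95)
    return mu, sigma


def simulate_annual_losses(h: Hypothesis, iterations: int = 10_000, seed: int = 42) -> List[float]:
    """Monte Carlo: each iteration is one simulated year, either no loss or one drawn loss."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = lognormal_params(h.lower_bound, h.upper_bound)
    losses = []
    for _ in range(iterations):
        if rng.random() < h.probability:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def expected_annual_loss(losses: List[float]) -> float:
    """Annualized loss expectancy (ALE) estimated from the simulated years."""
    return sum(losses) / len(losses)


def loss_exceedance_curve(losses: List[float], thresholds: List[float]) -> List[Tuple[float, float]]:
    """Points (threshold, P[annual loss > threshold]) that make up the LEC chart."""
    n = len(losses)
    return [(t, sum(1 for loss in losses if loss > t) / n) for t in thresholds]


def rosi(baseline_ale: float, residual_ale: float, control_cost: float) -> Optional[float]:
    """Return on Security Investment = (risk reduction - cost) / cost.

    Returns None when the control carries no cost, mirroring the tutorial's
    "ROSI is not calculated" state until a Build/Run cost is entered.
    """
    if control_cost <= 0:
        return None
    return (baseline_ale - residual_ale - control_cost) / control_cost


def compare(baseline: Hypothesis, treated: Hypothesis,
            iterations: int = 10_000, seed: int = 42) -> Dict[str, Optional[float]]:
    """Run both hypotheses and report the ALEs and the ROSI of the treatment."""
    base_ale = expected_annual_loss(simulate_annual_losses(baseline, iterations, seed))
    treated_ale = expected_annual_loss(simulate_annual_losses(treated, iterations, seed))
    return {
        "baseline_ale": base_ale,
        "residual_ale": treated_ale,
        "rosi": rosi(base_ale, treated_ale, treated.control_cost),
    }


if __name__ == "__main__":
    # Probabilities 0.40 / 0.2 and the 100000 upper bound come from the tutorial;
    # the 10000 lower bound and the 5000 EDR cost are constructed sample values.
    baseline = Hypothesis("baseline", 0.40, 10_000, 100_000)
    edr = Hypothesis("deploy EDR", 0.2, 10_000, 100_000, control_cost=5_000)
    for key, value in compare(baseline, edr).items():
        print(f"{key}: {value}")
    for t, p in loss_exceedance_curve(simulate_annual_losses(baseline), [0, 25_000, 50_000, 100_000]):
        print(f"P(annual loss > {t:>7,.0f}) = {p:.3f}")
```

Running it prints the two ALEs, the ROSI, and a handful of LEC points; with the cost left at 0 on the treated hypothesis, `rosi` returns None, which is the situation step 32 describes.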

Powered by guidde

01 - basic audit

CISO Assistant: starting an audit

Start your audit confidently with CISO Assistant by setting up your organization's domains and security perimeters. This guide helps you create an audit baseline aligned with ISO/IEC 27001:2022 and understand your organization's security context.

Go to localhost:5173

1. Click "Organization"
Access the Organization settings to begin configuring your domain management.

2. Click "Domains"
Navigate to the Domains section to manage your organization's domain details.

3. Click here
Initiate the process to add a new domain by selecting the appropriate option.

4. Click here
Enter a descriptive name for your new domain to clearly identify it.

5. Fill "explainer"
Save the newly created domain to register it within your organization.

6. Click "Save"
Select the domain you just created to begin setting up its security perimeter.

7. Click "2"
Open the domain details to configure its security boundaries.

8. Click "explainer"
Start adding a new security perimeter to define the domain's protective scope.

9. Click "Add perimeter"
Choose the option to specify the perimeter's characteristics and settings.

10. Click here
Provide a clear and concise name for the new security perimeter.

11. Fill "general"
Save the perimeter settings to apply them to the domain.

12. Click "Save"
Return to the General settings to prepare for audit creation.

13. Click "General"
Begin creating a new audit to assess your organization's security posture.

14. Click "New Audit"
Select the option to add a new audit baseline for evaluation.

15. Click here
Name your audit baseline to reflect its purpose or scope.

16. Fill "my baseline"
Specify the audit type or category to align with your compliance goals.

17. Click here
Choose the relevant standard or framework for your audit.

18. Search "iso"
Select the International standard ISO/IEC 27001:2022 to align with recognized security practices.

19. Click "International standard ISO/IEC 27001:2022"
Confirm and save your audit configuration to proceed.

20. Click "Save"
Access the detailed audit sections to review specific requirements.

21. Open the tree structure
Select the section focused on the organization's context for information security.

23. Enter an item to review/update it
Ensure your Information Security Management System (ISMS) aligns with your organization's context by addressing these factors.
Click 'Identify internal and external factors that influence the organization’s ability to achieve information security objectives, ensuring the ISMS is aligned with its context.'

This guide walked you through setting up domains and security perimeters, creating an audit baseline, and aligning your ISMS with ISO/IEC 27001:2022 standards. You learned to identify organizational factors critical to achieving information security objectives.


API usage

Access the online documentation

Enable the documentation locally

Enable debug mode

export DJANGO_DEBUG=True

Start the backend server (make sure that dependencies are installed):

python3 manage.py runserver

Access the swagger documentation here:

http://127.0.0.1:8000/api/schema/swagger/

Or in redoc format here:

http://127.0.0.1:8000/api/schema/redoc/

Interacting with the API

  • Start by creating a PAT; the instructions are in the Generating a PAT section below

  • Use this token to form your Authorization header, which needs to be as follows:

Authorization: Token <your_token>

Then you can use it with any REST client, or within your application or script:

Example with Bruno (Postman alternative)

Or with curl:

curl --request GET \
  --url http://127.0.0.1:8000/api/assets/ \
  --header 'authorization: Token a6a120f....'

Notes

  • make sure to add the trailing slash '/'

  • your endpoint is your instance URL; with the default proxy settings, the API is served at that same URL under /api/ (so you don't need to expose anything else)

  • Pro SaaS users need to open a support request to expose the API on their instance. It's disabled by default.
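The curl call above, as an added Python example that is not part of the project's own tooling: it reads the PAT from an environment variable (the name CISO_ASSISTANT_TOKEN is this example's choice), builds the Authorization header in the Token form shown above, derives the /api/ base from the instance URL, and enforces the trailing slash the notes mention. The HTTP call is isolated behind an injectable opener, so the URL and header construction can be checked without a running instance.

```python
import json
import os
import urllib.request
from typing import Any, Dict, Mapping, Optional
from urllib.parse import urlsplit, urlunsplit

ENV_VAR = "CISO_ASSISTANT_TOKEN"   # constructed name for this example


def load_token(env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Read the PAT from the environment rather than hard-coding it in scripts."""
    token = env.get(ENV_VAR, "").strip()
    return token or None


def redact_token(token: str) -> str:
    """Only ever log a short prefix of the PAT; it carries the owner's full permissions."""
    return token[:4] + "..."


def api_base(instance_url: str) -> str:
    """Instance URL -> API base: appends /api/ unless the URL already ends with it."""
    parts = urlsplit(instance_url.rstrip("/"))
    path = parts.path if parts.path.endswith("/api") else parts.path + "/api"
    return urlunsplit((parts.scheme, parts.netloc, path + "/", "", ""))


def endpoint_url(instance_url: str, resource: str) -> str:
    """Build .../api/<resource>/ with the trailing slash the backend expects."""
    return api_base(instance_url) + resource.strip("/") + "/"


def auth_headers(token: str) -> Dict[str, str]:
    """Authorization header in the 'Token <your_token>' form used by the API."""
    return {"Authorization": f"Token {token}", "Accept": "application/json"}


def build_request(instance_url: str, resource: str, token: Optional[str],
                  method: str = "GET") -> urllib.request.Request:
    """Assemble the request; refuse to send anything without a PAT."""
    if not token:
        raise ValueError(f"no PAT provided; set {ENV_VAR}")
    return urllib.request.Request(endpoint_url(instance_url, resource),
                                  headers=auth_headers(token), method=method)


def fetch_json(instance_url: str, resource: str, token: Optional[str],
               opener: Optional[urllib.request.OpenerDirector] = None,
               timeout: float = 30) -> Any:
    """Perform the request and decode the JSON body; `opener` is injectable for tests."""
    opener = opener or urllib.request.build_opener()
    req = build_request(instance_url, resource, token)
    with opener.open(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    token = load_token()
    if token is None:
        raise SystemExit(f"set {ENV_VAR} first")
    print("using token", redact_token(token))
    # Same call as the curl example: GET /api/assets/ on a local dev backend.
    assets = fetch_json("http://127.0.0.1:8000", "assets", token)
    print(json.dumps(assets, indent=2)[:500])
```

Set the environment variable from your secret store or shell session rather than in the script, and pass your instance URL without the /api/ suffix when it sits behind the default proxy; `api_base` adds it either way.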

Generating a PAT

Personal Access Token to interact with the API

Getting a PAT (Personal Access Token) for CISO Assistant

Learn how to generate a Personal Access Token (PAT) for CISO Assistant quickly and securely.

First, you need to sign in to your instance.

1. Introduction
This guide provides clear steps to create, name, set the expiration of, and copy your PAT for seamless integration.

2. Click here
Access your account menu by selecting your profile icon in the application interface.

3. Click "My profile"
Navigate to the 'My Profile' section to manage your personal account settings.

4. Click "Settings"
Open the 'Settings' tab within your profile to configure advanced options.

5. Click "Generate new token"
Initiate the creation of a new Personal Access Token by selecting 'Generate new token'.

6. Click here
Click the input field to name your token, providing a clear and descriptive label.

7. Fill "testing"
Enter a meaningful token name to help you identify its purpose later.

8. Click "30"
Set the token's expiration by choosing a predefined duration from the available options.

9. Fill "90"
Alternatively, specify a custom expiration period to suit your security needs.

10. Click "Generate new token"
Confirm the token generation by clicking the 'Generate new token' button.

11. Click "Copy"
Securely copy the newly created token to your clipboard for immediate use.

12. Click "Done"
Complete the process by clicking 'Done' to save your settings and exit the token creation workflow.

This guide walked you through generating a Personal Access Token for CISO Assistant. Make sure that you save it and transmit it only through secure channels/tools, and be cautious of its impact, as it inherits your permissions on the app.

Once created, the value cannot be seen nor edited. You'll have to generate a new one to do so.

00 - initial setup

CISO Assistant: initial setup

Start your journey with CISO Assistant by setting up your organization’s domains, perimeters, and users

Go to your-ciso-assistant-instance

1. Introduction
This guide walks you through configuring essential security frameworks and risk matrices to establish a robust compliance foundation.

2. Click "Organization"
Navigate to the Organization section to begin configuring your company settings.

3. Click "Domains"
Access the Domains tab to manage your organization's domain information.

4. Click here
Initiate adding a new domain by clicking the add button.

5. Click here
Open the domain creation form to input new domain details. Markdown is supported for the description.

6. Fill "ACME" (or any relevant domain name)
Enter your organization's domain name to register it within the system.

7. Click "Save"
Confirm and save the new domain to apply changes.

8. Click "ACME"
Select the newly created domain to configure its specific settings.

9. Click "Add perimeter"
Start adding a security perimeter to define access boundaries for the domain.

10. Click here
Open the perimeter creation interface to specify perimeter details.

11. Fill "Common"
Name the new perimeter to identify it clearly within your domain.

12. Click "Save"
Save the perimeter settings to establish the defined boundary.

13. Click "Users"
Go to the Users section to manage user accounts and permissions.

14. Click here
Begin adding a new user by selecting the add user option.

15. Click here
Open the user creation form to input user details.

16. Fill "alice@company.com"
Enter the user's email address to create their account.

17. Click "Save"
Save the new user profile to register them in the system.

18. Click "alice@company.com"
Select the newly added user to modify their settings.

19. Click "Edit"
Access the edit mode to update user roles and permissions.

20. Click here
Open the role assignment dropdown to select user roles.

21. Click "ACME - Analyst"
Choose the appropriate role for the user within the organization.

22. Click "Save"
Save the updated user role to apply changes.

23. Click "Catalog"
Navigate to the Catalog section to explore available frameworks and resources.

24. Click "Frameworks"
Access the Frameworks tab to browse compliance and security frameworks.

25. Click here
Open the framework search interface to find specific standards.

26. Click "Search..."
Use the search bar to locate a framework by name or keyword.

27. Fill "iso 27"
Enter the ISO 27001 framework to find relevant compliance information.

28. Click here
Select the ISO 27001 framework from the search results to view details.

29. Fill "nist csf"
Open the NIST CSF framework details for review and mapping.

30. Click here
Use the search function to find specific frameworks or resources.

31. Click "nist csf"
Access the Risk Matrices section to manage risk assessment tools.

32. Fill "Search..."
Open the risk matrix search to locate specific matrices.

33. Click "Risk matrices"
Search for critical risk matrices to prioritize high-impact risks.

34. Click here
Select the critical risk matrix to analyze and manage risks.

35. Click "Search..."
Navigate to the Mappings section to link frameworks and risk matrices.

36. Fill "critic"
Access the Risk Matrices tab within Mappings to review associations.

37. Click here
Switch to the Frameworks tab to manage framework mappings.

38. Click "Risk matrices"
Review the filtered entries to find specific standards and mappings.

39. Click "Frameworks"
Examine the details of the ISO/IEC 27001:2022 standard for information security compliance.

This guide covered setting up your organization in CISO Assistant, including domain and perimeter creation, user management, role assignments, and exploring compliance frameworks and risk matrices. It also detailed how to map frameworks to risk matrices for comprehensive security management.


Prowler x CISO Assistant

Notes from 12/06/2025 session

Attachment: Prowler x CISO Assistant presentation 2025-06-12 09.32.21.excalidraw.pdf (PDF, 637KB)